package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.ArtifactResolutionConfiguration;
import java.text.MessageFormat;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.common.binding.artifact.SAMLArtifactMap;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.SAML2ArtifactMessageContext;
import org.opensaml.saml2.core.ArtifactResolve;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/ArtifactResolution.class */
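/**
 * SAML 2 artifact resolution profile handler: decodes an {@code ArtifactResolve},
 * looks the artifact up in the {@link SAMLArtifactMap}, checks that the artifact was
 * issued by this IdP to the relying party that is asking for it, and answers with an
 * {@code ArtifactResponse} that carries the referenced SAML message or a failure status.
 *
 * <p>Reconstructed from decompiled bytecode (the original carried {@code loaded from}
 * decompiler markers). Helpers called here but not defined here -- {@code buildStatus},
 * {@code populateStatusResponse}, {@code populateRequestContext}, {@code encodeResponse},
 * {@code writeAuditLogEntry}, {@code checkSamlVersion} -- are inherited from the
 * profile-handler base classes and are not visible in this file.
 */
public class ArtifactResolution extends AbstractSAML2ProfileHandler {

    /** Profile identifier reported by {@link #getProfileId()}. */
    private static final String PROFILE_ID = "urn:mace:shibboleth:2.0:profiles:saml2:query:artifact";

    /** SAML 2.0 protocol namespace URI, used for inbound/outbound protocol and metadata lookups. */
    private static final String SAML20_PROTOCOL_URI = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** SAML 2.0 SOAP binding URI. */
    private static final String SAML20_SOAP_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    /** SAML 2.0 status code URIs used when building the response status. */
    private static final String STATUS_SUCCESS_URI = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String STATUS_RESPONDER_URI = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_REQUEST_DENIED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied";

    /** Map of outstanding artifacts to the messages they reference; supplied by the container. */
    private final SAMLArtifactMap artifactMap;

    private final Logger log = LoggerFactory.getLogger(ArtifactResolution.class);

    /** Builder for the outbound {@code ArtifactResponse}. */
    private final SAMLObjectBuilder<ArtifactResponse> responseBuilder = getBuilderFactory().getBuilder(ArtifactResponse.DEFAULT_ELEMENT_NAME);

    /** Builder for the synthetic SOAP endpoint returned by {@link #selectEndpoint}. */
    private final SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder = getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);

    /**
     * Request context for one artifact resolution exchange. In addition to the base
     * context it records the artifact string taken from the inbound {@code ArtifactResolve}
     * and the message that artifact was found to reference.
     *
     * <p>Kept as a non-static inner class because external code may instantiate it through
     * an enclosing {@code ArtifactResolution} instance.
     */
    public class ArtifactResolutionRequestContext extends BaseSAML2ProfileRequestContext<ArtifactResolve, ArtifactResponse, ArtifactResolutionConfiguration> implements SAML2ArtifactMessageContext<ArtifactResolve, ArtifactResponse, NameID> {

        /** Artifact string carried by the inbound request; null until the message is populated. */
        private String artifact;

        /** Message the artifact resolved to; null until a valid artifact has been looked up. */
        private SAMLObject referencedMessage;

        public ArtifactResolutionRequestContext() {
        }

        /** @return the artifact string from the inbound request, or null if none was set */
        public String getArtifact() {
            return this.artifact;
        }

        /** @param str the artifact string from the inbound request */
        public void setArtifact(String str) {
            this.artifact = str;
        }

        /** @return the SAML message the artifact resolved to, or null if not (yet) resolved */
        public SAMLObject getReferencedMessage() {
            return this.referencedMessage;
        }

        /** @param sAMLObject the SAML message the artifact resolved to */
        public void setReferencedMessage(SAMLObject sAMLObject) {
            this.referencedMessage = sAMLObject;
        }
    }

    /**
     * Creates the handler.
     *
     * @param sAMLArtifactMap map holding the artifacts this IdP has issued and the messages they reference
     */
    public ArtifactResolution(SAMLArtifactMap sAMLArtifactMap) {
        this.artifactMap = sAMLArtifactMap;
    }

    /** @return the identifier of this profile */
    public String getProfileId() {
        return PROFILE_ID;
    }

    /**
     * Processes one artifact resolution request.
     *
     * <p>Every failure after the request context has been created -- a decode or security
     * error, a relying party without an artifact-resolution profile configuration, or an
     * artifact that is missing, unknown, expired, not issued by this IdP, or issued to a
     * different relying party -- is turned into an error {@code ArtifactResponse} carrying
     * the recorded failure status, so the relying party always gets a response instead of a
     * dropped request.
     *
     * @param inTransport  inbound HTTP transport carrying the {@code ArtifactResolve}
     * @param outTransport outbound HTTP transport the {@code ArtifactResponse} is written to
     * @throws ProfileException if the response itself cannot be encoded (propagated from the base class)
     */
    public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        ArtifactResolutionRequestContext requestContext = new ArtifactResolutionRequestContext();
        ArtifactResponse samlResponse;
        try {
            decodeRequest(requestContext, inTransport, outTransport);

            if (requestContext.getProfileConfiguration() == null) {
                String msg = MessageFormat.format(
                        "SAML 2 Artifact Resolve profile is not configured for relying party ''{0}''",
                        requestContext.getInboundMessageIssuer());
                this.log.warn(msg);
                throw requestDenied(requestContext, msg);
            }

            checkSamlVersion(requestContext);
            resolveArtifact(requestContext);
            samlResponse = buildArtifactResponse(requestContext);
        } catch (ProfileException e) {
            // The failure status was recorded (and logged) where the problem was detected;
            // answer with an error response rather than letting the exception drop the request.
            this.log.debug("Returning error ArtifactResponse: {}", e.getMessage());
            samlResponse = buildArtifactErrorResponse(requestContext);
        }

        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Records a RequestDenied failure status on the context and returns the exception to
     * throw, so call sites read {@code throw requestDenied(ctx, msg)}. The (Success,
     * RequestDenied, message) status triple is the one the handler uses for every
     * validation failure.
     *
     * @param requestContext context the failure status is recorded on
     * @param message        human-readable reason, also used as the exception message
     * @return the exception for the caller to throw
     */
    private ProfileException requestDenied(ArtifactResolutionRequestContext requestContext, String message) {
        requestContext.setFailureStatus(buildStatus(STATUS_SUCCESS_URI, STATUS_REQUEST_DENIED_URI, message));
        return new ProfileException(message);
    }

    /**
     * Looks up the artifact carried by the request and, when it is acceptable, stores the
     * referenced SAML message on the context.
     *
     * @param requestContext context holding the artifact, the inbound issuer and the local entity ID
     * @throws ProfileException if the artifact is missing, unknown or expired, was not issued by
     *         this IdP, or was issued to a relying party other than the one sending the resolve
     *         request; the failure status is set on the context before throwing
     */
    private void resolveArtifact(ArtifactResolutionRequestContext requestContext) throws ProfileException {
        String artifact = requestContext.getArtifact();
        String requester = requestContext.getInboundMessageIssuer();

        // A request without an artifact is treated like an unknown one; never query the map with null.
        SAMLArtifactMap.SAMLArtifactMapEntry entry = (artifact == null) ? null : this.artifactMap.get(artifact);
        if (entry != null) {
            // Artifacts are single-use: drop the entry as soon as it has been looked up so that a
            // second ArtifactResolve presenting the same artifact (a replay) cannot retrieve the
            // message again, whether or not this resolution goes on to succeed.
            this.artifactMap.remove(artifact);
        }

        if (entry == null || entry.isExpired()) {
            String msg = MessageFormat.format("Unknown artifact ''{0}'' from relying party ''{1}''", artifact, requester);
            this.log.error(msg);
            throw requestDenied(requestContext, msg);
        }

        String localEntityId = requestContext.getLocalEntityId();
        if (!entry.getIssuerId().equals(localEntityId)) {
            String msg = MessageFormat.format(
                    "Artifact issuer mismatch.  Artifact issued by ''{0}'' but IdP has entity ID of ''{1}''",
                    entry.getIssuerId(), localEntityId);
            this.log.warn(msg);
            throw requestDenied(requestContext, msg);
        }

        // The artifact may only be resolved by the relying party it was issued to.
        if (!entry.getRelyingPartyId().equals(requester)) {
            String msg = MessageFormat.format(
                    "Artifact requester mismatch. Artifact was issued to ''{0}'' but the resolve request came from ''{1}''",
                    entry.getRelyingPartyId(), requester);
            this.log.warn(msg);
            throw requestDenied(requestContext, msg);
        }

        requestContext.setReferencedMessage(entry.getSamlMessage());
    }

    /**
     * Fills the request context with this handler's settings, decodes the inbound message
     * with the configured decoder and, in all cases, runs {@code populateRequestContext}.
     *
     * @param requestContext context to populate
     * @param inTransport    inbound HTTP transport
     * @param outTransport   outbound HTTP transport
     * @throws ProfileException if the message cannot be decoded or does not satisfy the security
     *         policy; the failure status is set on the context before throwing
     */
    protected void decodeRequest(ArtifactResolutionRequestContext requestContext, HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Decoding message with decoder binding '{}'", getInboundMessageDecoder(requestContext).getBindingURI());
        }
        requestContext.setCommunicationProfileId(getProfileId());
        requestContext.setMetadataProvider(getMetadataProvider());
        requestContext.setInboundMessageTransport(inTransport);
        requestContext.setInboundSAMLProtocol(SAML20_PROTOCOL_URI);
        requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        requestContext.setOutboundMessageTransport(outTransport);
        requestContext.setOutboundSAMLProtocol(SAML20_PROTOCOL_URI);
        try {
            SAMLMessageDecoder decoder = getInboundMessageDecoder(requestContext);
            requestContext.setMessageDecoder(decoder);
            decoder.decode(requestContext);
            this.log.debug("Decoded request from relying party '{}'", requestContext.getInboundMessageIssuer());
        } catch (MessageDecodingException e) {
            String msg = "Error decoding artifact resolve message";
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER_URI, null, msg));
            this.log.warn(msg, e);
            // Keep the cause so the decode failure is diagnosable from the wrapping exception.
            throw new ProfileException(msg, e);
        } catch (SecurityException e) {
            String msg = "Message did not meet security requirements";
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER_URI, STATUS_REQUEST_DENIED_URI, msg));
            this.log.warn(msg, e);
            throw new ProfileException(msg, e);
        } finally {
            // Runs on success and on failure alike, as in the original handler.
            populateRequestContext(requestContext);
        }
    }

    /**
     * Adds the relying party's SP role and its SAML 2.0 SPSSODescriptor to the context
     * when peer entity metadata is available.
     */
    @Override
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateRelyingPartyInformation(requestContext);
        EntityDescriptor peerMetadata = requestContext.getPeerEntityMetadata();
        if (peerMetadata != null) {
            requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            requestContext.setPeerEntityRoleMetadata(peerMetadata.getSPSSODescriptor(SAML20_PROTOCOL_URI));
        }
    }

    /**
     * Adds this IdP's attribute-authority role and its SAML 2.0 AttributeAuthorityDescriptor
     * to the context when local entity metadata is available.
     */
    @Override
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        super.populateAssertingPartyInformation(requestContext);
        EntityDescriptor localMetadata = requestContext.getLocalEntityMetadata();
        if (localMetadata != null) {
            requestContext.setLocalEntityRole(AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
            requestContext.setLocalEntityRoleMetadata(localMetadata.getAttributeAuthorityDescriptor(SAML20_PROTOCOL_URI));
        }
    }

    /**
     * Copies the artifact string from the decoded {@code ArtifactResolve} onto the context.
     * Does nothing if no message was decoded or it carries no artifact element.
     */
    @Override
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
        ArtifactResolve request = requestContext.getInboundSAMLMessage();
        if (request == null || request.getArtifact() == null) {
            return;
        }
        // The base class calls this with the context created in processRequest, hence the cast.
        ((ArtifactResolutionRequestContext) requestContext).setArtifact(request.getArtifact().getArtifact());
    }

    /**
     * Chooses where the response is sent. For the SOAP binding a synthetic endpoint carrying
     * only the SOAP binding URI is built instead of consulting metadata (presumably because
     * the response travels back on the inbound connection); for any other binding an
     * AssertionConsumerService is selected from the peer's metadata.
     *
     * @param requestContext context providing peer metadata and the inbound request
     * @return the endpoint the response should be sent to
     */
    @Override
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
        // Constant on the left so a null inbound binding falls through to metadata selection.
        if (SAML20_SOAP_BINDING_URI.equals(getInboundBinding())) {
            AssertionConsumerService soapEndpoint = this.acsEndpointBuilder.buildObject();
            soapEndpoint.setBinding(SAML20_SOAP_BINDING_URI);
            return soapEndpoint;
        }
        BasicEndpointSelector selector = new BasicEndpointSelector();
        selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        selector.setMetadataProvider(getMetadataProvider());
        selector.setEntityMetadata(requestContext.getPeerEntityMetadata());
        selector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
        selector.setSamlRequest(requestContext.getInboundSAMLMessage());
        selector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
        return selector.selectEndpoint();
    }

    /**
     * Builds a fresh {@code ArtifactResponse} with the issue instant set to now and the
     * common status-response fields populated from the context; no Status is set yet.
     */
    private ArtifactResponse newArtifactResponse(ArtifactResolutionRequestContext requestContext) {
        ArtifactResponse response = this.responseBuilder.buildObject();
        response.setIssueInstant(new DateTime());
        populateStatusResponse(requestContext, response);
        return response;
    }

    /**
     * Builds the response for a processed request: a Success status plus the referenced
     * message when no failure status was recorded, otherwise the recorded failure status.
     *
     * @param requestContext context holding the failure status and referenced message
     * @return the response to send
     */
    protected ArtifactResponse buildArtifactResponse(ArtifactResolutionRequestContext requestContext) {
        ArtifactResponse response = newArtifactResponse(requestContext);
        if (requestContext.getFailureStatus() == null) {
            response.setStatus(buildStatus(STATUS_SUCCESS_URI, null, null));
            response.setMessage(requestContext.getReferencedMessage());
        } else {
            response.setStatus(requestContext.getFailureStatus());
        }
        return response;
    }

    /**
     * Builds the error response for a request that failed before a normal response could be
     * produced. The referenced message is never included.
     *
     * @param requestContext context holding the failure status recorded where the error was detected
     * @return the error response to send
     */
    protected ArtifactResponse buildArtifactErrorResponse(ArtifactResolutionRequestContext requestContext) {
        ArtifactResponse response = newArtifactResponse(requestContext);
        if (requestContext.getFailureStatus() == null) {
            // A ProfileException raised without a recorded status would otherwise yield a
            // response with no Status element; fall back to a generic Responder error.
            requestContext.setFailureStatus(buildStatus(STATUS_RESPONDER_URI, null, "Error resolving artifact"));
        }
        response.setStatus(requestContext.getFailureStatus());
        return response;
    }
}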
